All businesses can significantly boost their information security by implementing fundamental elements of cybersecurity – vulnerability scanning, patch application, antivirus and anti-malware tools, firewalls and companywide security policies featuring well-established best practices. These should all be standard procedures for your company, given the risks businesses face today (which are considerable, as we saw in part one of this series).
That said, those measures shouldn’t be your organization’s be-all, end-all, at least not across the board. In part two of our deep dive into cyber hygiene, we’ll take a look at the more substantial (and, in some cases, more complex) factors you should consider when looking to devise a truly effective infosec strategy for your business.
Establishing threat-severity assessment
Determining the severity of a threat is key when figuring out how quickly you need to address a given vulnerability. “As fast as possible” may seem like a reasonable rule but quickly becomes unsustainable given the volume of vulnerabilities disclosed every week. Microsoft’s monthly Patch Tuesday release regularly covers more than 100 vulnerabilities. In the last year alone, over 18,350 new vulnerabilities were reported across the broader threat landscape.
The most widely used baseline for rating vulnerability severity is the Common Vulnerability Scoring System (CVSS), which is maintained by the Forum of Incident Response and Security Teams (FIRST).1 It is worth using as a starting point, but it has flaws that make it untenable as your only prioritization system: the CVSS base score measures a flaw’s intrinsic technical characteristics (how it can be reached and what it can affect) rather than the realistic threat level, which depends on whether attackers are actually exploiting it.2 More than 13% of the roughly 60,000 vulnerabilities that carry CVSS scores rate 9.0 or higher, the band CVSS v3 labels Critical, so by CVSS alone roughly one vulnerability in eight is “Critical”, which makes it difficult for organizations to properly prioritize remediation.
Businesses can maximize their risk reduction by adopting dynamic threat metrics based on real-time attacker activity. For example, Tenable’s Vulnerability Priority Rating (VPR) incorporates a variety of threat intelligence signals – such as exploit kit availability and dark web chatter – to make an informed projection regarding the vulnerabilities attackers are most likely to exploit next. This way, you account for vulnerabilities that become more or less dangerous over time. And once you know which exposures to prioritize, you can use an Asset Criticality Rating (ACR) to further refine your remediation efforts and identify the most business-critical hosts to fix first.
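To make the difference concrete, here is an added example (this article’s own illustration, not Tenable’s VPR or ACR algorithm and not code from the original page) that ranks a constructed set of findings two ways: by CVSS base score alone, and by a simple threat-informed score multiplied by asset criticality. The weights, asset names and CVE-EXAMPLE identifiers are all made up for the illustration; only the CVSS v3 severity bands are real.

```python
"""Added illustration: threat-informed prioritization versus raw CVSS.

The weighting below is a made-up teaching formula, not Tenable's VPR or ACR
algorithm. The findings and asset list are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                   # identifier (constructed for this example)
    asset: str                 # host the finding was observed on
    cvss: float                # CVSS v3 base score, 0.0-10.0
    exploit_public: bool       # working exploit code is publicly available
    active_exploitation: bool  # reports of in-the-wild exploitation
    age_days: int              # days since disclosure


# Hypothetical asset criticality, 1 (low) to 10 (business critical).
ASSET_CRITICALITY = {
    "payment-db-01": 10,
    "web-prod-03": 7,
    "dev-laptop-17": 2,
    "print-server": 1,
}

# Constructed sample findings. Three share a 9.8 CVSS score, so CVSS alone
# cannot tell you which of them to fix first.
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "print-server", 9.8, False, False, 400),
    Finding("CVE-EXAMPLE-0002", "payment-db-01", 9.8, True, True, 12),
    Finding("CVE-EXAMPLE-0003", "dev-laptop-17", 9.8, True, False, 90),
    Finding("CVE-EXAMPLE-0004", "web-prod-03", 7.5, True, True, 3),
    Finding("CVE-EXAMPLE-0005", "payment-db-01", 5.3, False, False, 30),
]


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative rating bands (these bands are the real ones)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def threat_score(f: Finding) -> float:
    """Illustrative dynamic threat score on a 0-10 scale.

    Starts from the CVSS base score, raises it when there is evidence that
    attackers are using the flaw, and lowers it for old findings with no
    exploitation activity. The weights are arbitrary teaching values.
    """
    score = f.cvss
    if f.active_exploitation:
        score += 2.0
    elif f.exploit_public:
        score += 1.0
    elif f.age_days > 365:
        # Old and never weaponised: less likely to be attacked now.
        score -= 1.5
    return round(min(max(score, 0.0), 10.0), 1)


def remediation_priority(f: Finding) -> float:
    """Combine the threat score with asset criticality to rank fixes."""
    criticality = ASSET_CRITICALITY.get(f.asset, 5)  # unknown asset: middle
    return round(threat_score(f) * criticality / 10.0, 2)


def rank_by_cvss(findings=FINDINGS):
    """CVSS alone: the three 9.8s tie and stay in input order."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_priority(findings=FINDINGS):
    """Threat-informed: the exploited flaw on the payment database is first,
    the actively exploited 7.5 on production web outranks two 9.8s, and the
    stale 9.8 on the print server drops to the bottom."""
    return [f.cve for f in sorted(findings, key=remediation_priority, reverse=True)]


if __name__ == "__main__":
    for f in FINDINGS:
        print(f.cve, cvss_severity(f.cvss), threat_score(f), remediation_priority(f))
    print("by CVSS:    ", rank_by_cvss())
    print("by priority:", rank_by_priority())
```

The point is not the particular weights but the shape of the process: a static base score is adjusted by evidence of attacker activity, then multiplied by what the affected host is worth to the business, and the resulting order changes materially.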
Relying on thorough attack vector analysis
Because you have so many other things to think about while running a business, it may be tempting to stick to the basics as you remediate vulnerabilities. In many cases that is all you need to do: apply a patch or implement another appropriate fix and move on. But if you take the time to understand how a given vulnerability could actually be reached and exploited in your environment, before you apply the patch or other fix, you can address the underlying weakness as well (an exposed service, an over-privileged account, a missing network boundary) and significantly reduce the likelihood of being hit by a similar vulnerability in the future.
Processes like threat modeling and penetration testing are valuable because they let you examine exactly how a particular vulnerability, if exploited, would harm your network. A penetration test is especially useful because it is a live demonstration, against your own systems, of how an attacker would chain weaknesses together to reach something of value. That level of detail can help your organization decide what its cybersecurity strategy should look like going forward.3 Meanwhile, addressing certain cyberthreats, such as ransomware, requires not only patching vulnerabilities but also maintaining tested, offline backups and recovery plans for your data.4
Setting up secure configurations
The behavior of hosts and applications is determined by their configuration. Default configurations come from manufacturers and developers, and they are often engineered for ease of use and broad compatibility rather than optimal security: unnecessary services enabled, permissive remote access and default credentials are common out of the box.5
Examining the configurations of hardware and software on your network and rectifying any security-related shortcomings can go a long way toward improving your business’s overall cybersecurity. Benchmarks from the Center for Internet Security (CIS) and the Security Technical Implementation Guides (STIGs) from the Defense Information Systems Agency (DISA) can serve as strong standards for hardened configuration. These guidelines are available for dozens of operating systems and applications, and while comprehensive, they are not solely for expert use (though you may need to work with a consultant on implementation if you don’t have an IT team on payroll). Because configurations drift as systems are patched and administered, treat the configuration audit as a recurring check rather than a one-time project.
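As an added illustration (not code from the original article, and not a CIS or DISA tool), the following script parses a constructed sshd_config and checks it against a small hardening baseline of the kind these benchmarks recommend. The baseline items and values are this example’s own choices rather than quotations from any benchmark, and both configuration files are made up; the vendor-style defaults are shown beside the remediated version so the audit has something to fail and something to pass.

```python
"""Added illustration: auditing a configuration file against a hardening
baseline. The baseline mirrors the kind of OpenSSH settings CIS-style
benchmarks cover, but the exact items and values are this example's own.
Both sshd_config texts are constructed samples, not files from real hosts.
"""
import re

# Convenient, not hardened: root login left at the default (commented out),
# passwords accepted, X11 forwarding on, generous retry budget.
DEFAULT_SSHD_CONFIG = """\
# Constructed sample sshd_config as it might ship
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
PermitEmptyPasswords no
"""

HARDENED_SSHD_CONFIG = """\
# Constructed sample sshd_config after remediation
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
PermitEmptyPasswords no
LogLevel VERBOSE
"""

# Hypothetical baseline: keyword -> (check on the effective lower-cased value,
# human-readable expectation). A check receives None when the keyword is unset.
BASELINE = {
    "PermitRootLogin": (lambda v: v == "no", "no"),
    "PasswordAuthentication": (lambda v: v == "no", "no"),
    "X11Forwarding": (lambda v: v == "no", "no"),
    "MaxAuthTries": (lambda v: v is not None and v.isdigit() and int(v) <= 4, "4 or less"),
    "PermitEmptyPasswords": (lambda v: v == "no", "no"),
    "LogLevel": (lambda v: v in ("info", "verbose"), "INFO or VERBOSE (set explicitly)"),
}


def parse_sshd_config(text: str) -> dict:
    """Return the effective keyword -> value map.

    sshd keywords are case-insensitive, 'Key value' and 'Key=value' are both
    accepted, commented lines are not in effect, and for a plain file the
    first occurrence of a keyword wins. Match blocks and Include directives
    are deliberately out of scope here (see the note after the code).
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(\S.*)", line)
        if not m:
            continue
        key = m.group(1).lower()
        if key not in effective:
            effective[key] = m.group(2).strip().lower()
    return effective


def audit(text: str) -> list:
    """Return (keyword, actual, expected) for every baseline item that fails.
    An unset keyword fails when the baseline wants an explicit value, because
    relying on a vendor default is exactly what the audit is meant to catch."""
    effective = parse_sshd_config(text)
    findings = []
    for keyword, (check, expected) in BASELINE.items():
        actual = effective.get(keyword.lower())
        if not check(actual):
            shown = actual if actual is not None else "<unset, vendor default applies>"
            findings.append((keyword, shown, expected))
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        failures = audit(cfg)
        print(f"{label}: {len(failures)} finding(s)")
        for keyword, actual, expected in failures:
            print(f"  {keyword}: is {actual!r}, expected {expected}")
```

In production, audit the effective configuration rather than the file on disk: `sshd -T` prints what the daemon actually applies after Include and Match processing, which a line-by-line parse like this one ignores. The compare-against-baseline pattern itself carries over unchanged to registry keys, sysctl values or cloud resource settings.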
Auditing for optimal compliance
This segment of cybersecurity focuses not on finding, modeling or eliminating vulnerabilities, but on ensuring your systems comply with the government and industry standards that apply to you. The most obvious example, especially for small- and medium-sized businesses (SMBs), is the PCI DSS: Nearly every business accepts credit and debit card payments, and if yours isn’t protecting cardholder data appropriately, you are not only exposing customers to payment fraud and identity theft but also setting yourself up for noncompliance penalties.6
The same risk applies, in varying degrees, to other notable regulations, including HIPAA, the GDPR (if you handle the personal data of people in the EU) and the California Consumer Privacy Act (if you have customers or business partners in the Golden State). Conducting thorough compliance audits on a regular schedule ensures that sensitive customer information is protected and provides a solid foundation for maintaining regulatory compliance. Keep in mind that compliance is a floor, not a ceiling: passing an audit does not by itself stop an attacker, so treat these requirements as a baseline that your vulnerability and configuration work builds on.
Managing diverse assets
Crafting a more nuanced cybersecurity strategy must also extend to assets you may not think much about day to day but that are still extremely important to operations. If you use any cloud services, your provider will cover some bases as far as security goes,7 but not all of them, so you need to read your provider’s shared responsibility model and contract terms and know exactly which security responsibilities fall to you. As a rule of thumb, your cloud provider handles security “of the cloud” (protecting the infrastructure that runs all of the services it offers) while you are responsible for security “in the cloud” (identity and access management, data classification and encryption settings, network and storage configuration and, for virtual machines, guest operating system and application patching). Misconfigured storage permissions and overly broad access policies are customer-side mistakes that no provider will fix for you. Similar logic applies if you use virtual private networks (VPNs) for certain data transmissions, or rely on a mobile device management (MDM) platform to oversee company-issued smartphones: You must determine how much of the security for these tools you need to set up yourself and how much (if any) is built into the service.
Last but not least, you should consider examining your key applications and creating an “allowlist” – a policy that ensures only applications on that list of approved tools can run on your systems, with everything else denied by default.8 Building one takes time, as it must cover applications at the controller and server levels, within databases and on individual computers and other devices, and it needs ongoing maintenance, since every approved application update changes the executable and the list must be kept in step. The degree of protection it provides is well worth the effort: an unapproved executable, including most malware, simply does not run.
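The following added example (not code from the original article or from any allowlisting product) shows why the approach works and why how you identify an application matters: it runs constructed sample executables through a path-based rule and a hash-based rule and compares the decisions. Paths, file contents and allowlist entries are all made up for the illustration.

```python
"""Added illustration: application allowlisting, path rules versus hash rules.

A path rule trusts whatever binary currently sits at an approved location;
a hash rule trusts only the approved bytes, wherever they are. The file
contents, paths and allowlist below are constructed sample data.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable contents.
APPROVED_ACCOUNTING = b"constructed bytes: approved accounting.exe build 4.2"
TROJANISED_ACCOUNTING = b"constructed bytes: accounting.exe with a backdoor added"
APPROVED_AGENT = b"constructed bytes: approved backup-agent build 1.9"

# Hypothetical allowlist: approved install path -> SHA-256 of the approved build.
ALLOWLIST = {
    r"C:\Program Files\Acme\accounting.exe": sha256_hex(APPROVED_ACCOUNTING),
    "/usr/local/bin/backup-agent": sha256_hex(APPROVED_AGENT),
}
APPROVED_HASHES = set(ALLOWLIST.values())


def decide(path: str, contents: bytes, rule: str) -> tuple:
    """Return (allowed, reason). Default deny: nothing runs unless a rule matches.

    rule="path": allow anything launched from an approved path (weak: a
                 replaced binary at that path is trusted too).
    rule="hash": allow only bytes whose digest matches an approved build,
                 regardless of where the file lives (strong, but every
                 legitimate update changes the digest).
    """
    if rule == "path":
        if path in ALLOWLIST:
            return True, "path is on the allowlist"
        return False, "path not on the allowlist"
    if rule == "hash":
        digest = sha256_hex(contents)
        if digest in APPROVED_HASHES:
            return True, f"hash {digest[:12]}... matches an approved build"
        return False, "hash does not match any approved build"
    raise ValueError(f"unknown rule type: {rule}")


def compare_rules() -> dict:
    """Run four constructed execution events through both rule types."""
    events = [
        ("approved app, untouched", r"C:\Program Files\Acme\accounting.exe", APPROVED_ACCOUNTING),
        ("approved path, replaced binary", r"C:\Program Files\Acme\accounting.exe", TROJANISED_ACCOUNTING),
        ("approved agent copied to /tmp", "/tmp/backup-agent", APPROVED_AGENT),
        ("unknown tool, unknown path", "/tmp/miner", b"constructed bytes: something nobody approved"),
    ]
    return {
        label: {rule: decide(path, contents, rule)[0] for rule in ("path", "hash")}
        for label, path, contents in events
    }


if __name__ == "__main__":
    for label, outcome in compare_rules().items():
        print(f"{label:32s} path rule: {outcome['path']!s:5s} hash rule: {outcome['hash']}")
```

The second event is the one that matters: a trojanised binary dropped over an approved path sails through the path rule and is stopped by the hash rule. The trade-off is maintenance, since a hash rule must be updated for every legitimate release; that is why products such as Windows Defender Application Control and AppLocker, or fapolicyd on Linux, also offer publisher-signature rules that allow anything signed by an approved vendor.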
At the end of the day, you should consider proper cyber hygiene to be one of your business best practices – alongside other everyday practices such as proper accounting, exemplary customer service and maintaining high employee morale.